Attorneys from Orrick, Herrington & Sutcliffe LLP write:
On February 10, 2025, a Washington state resident filed a lawsuit on behalf of herself and similarly situated individuals against Amazon under the Washington My Health My Data Act (MHMD). This is the first lawsuit brought under MHMD’s private right of action.
Because MHMD regulates non-HIPAA consumer health data, broadly defined, and allows any Washington resident (and others whose consumer health data is collected in Washington) to enforce alleged violations, businesses should take notice of this development and re-assess if they may have exposure under it or need to improve their MHMD compliance program.
What MHMD Regulates
MHMD regulates entities that (1) conduct business in Washington or produce or provide products and services targeted to “consumers” in Washington, and (2) determine the purpose and means of the collection of consumer health data. “Consumers” includes Washington residents as well as any individuals whose consumer health data is collected in Washington.
Moreover, the definition of “consumer health data” is far-reaching. It includes not only what would traditionally be considered health information, such as individually identifiable information regarding an individual’s physical and mental health and condition, but also biometric data and precise location information that could indicate a consumer’s attempt to acquire or receive health services or supplies.
What the Plaintiff Alleges
The plaintiff alleges that Amazon violated MHMD by failing to (1) obtain the plaintiff’s consent prior to collecting her consumer health data, including location and biometric data, and (2) provide disclosures that must accompany a request for consent.
Read more at Orrick.
via JDSupra